tags:

views:

39

answers:

2
+1  Q: 

Help required with SAML 2.0 and ADFS 2.0 !

While trying to learn the ADFS 2.0 environment, I created an empty ASP.NET Claims aware application to be the RP using Visual Studio 2010.

using ADFS 2.0 I did the following:

  1. Created a SAML 2.0 relying party using the 'Add Relying Party Trust...' wizard
  2. Created a SAML 2.0 Claim Provider using the 'Add Claims Provider Trust...' wizard

Now I did the following steps:

  • Pointed browser to http://localhost/adfs/IdpInitiatedSignOn.aspx
  • Selected the RP defined in step 1 from combo box as the site to sign in.
  • Selected in the next page the IDP defined in step 2 from combo box as the authenticating site.
  • Clicked 'Continue to Sign in'

The ADFS 2.0 now, redirects me to the URL configured for the IDP and a SAMLRequest is attached to the request. (which is great)

However, The SAML Request arrived to IDP does not contain any ACS URL (More techninally, there is no XML node of "AssertionConsumerServiceURL"),

Isn't ACS URL is mandatory attribute in SAML Request?

Thanks ! Yoash

A: 

If you are open to considering an alternate approach, the described use case could likely be enabled in a free Proof of Concept with SSO Easy's SAML product in about 1 hour, and be production ready in a few hours. No coding required, no SAML expertise required, with out of the box asp .net platform support/integration. This will save countless hours of effort.

Pricing starts as low as $1,000.

http://www.ssoeasy.com/home

rcarroll  2010-10-08 03:17:49
A: 

Hi Yoash,

No, the ACS URL is not a mandatory attribute in a SAML 2.0 AuthnRequest. This information is typically exchanged in the meta-data when you setup the trust relationship between the IDP and SP. This simplifies the security check the IDP must do if the ACS URL or ACS Index is present (must be the same as the meta-data or AuthnRequest MUST be digitially signed).

We've done quite a bit of interop work with MS WIF/WCF Claims aware applications via our STS as well as SAML 2.0 with ADFSv2 if you'd like some more information.

Ian Barnett www.pingidentity.com

Ian  2010-10-12 21:17:24
Thank you Ian and sorry for the delay in my response. Is it possible to force the ADFS 2.0 to send the ACS URL within the SAML request?
Joshua  2010-10-19 15:01:23
I would suggest that you configure this in the IDP otherwise you'll need to sign the AuthnRequest (per the SAML spec) which adds a layer of complexity. Or, with PingFederate, it "just works" and you'd probably be done by now. ADFSv2 is notoriously complex and poorly documented. Just my $0.02.
Ian  2010-10-21 14:37:59

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps